* Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183

- Allow modemmanager to talk to logind - Dontaudit tor daemon needs net_admin capability. rhbz#1311788 - Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 - Xorg now writes content in users homedir.
2016-04-18 13:42:21 +02:00 · 2016-04-18 13:42:21 +02:00 · 64f8164852
parent 4c61782def
commit 64f8164852
4 changed files with 69 additions and 37 deletions
--- a/docker-selinux.tgz
+++ b/docker-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -29116,16 +29116,17 @@ index cc877c7..b8e6e98 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..53f66a4 100644
+index 8274418..5f31270 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,38 @@
+@@ -2,13 +2,39 @@
 # HOME_DIR
 #
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 +HOME_DIR/\.fonts\.d(/.*)?	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
 +HOME_DIR/\.local/share/fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.local/share/xorg(/.*)?	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
@ -29158,7 +29159,7 @@ index 8274418..53f66a4 100644
 
 #
 # /dev
-@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +48,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
@ -29181,7 +29182,7 @@ index 8274418..53f66a4 100644
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +80,35 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 # /tmp
 #
 
@ -29223,7 +29224,7 @@ index 8274418..53f66a4 100644
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 
-@@ -91,19 +133,34 @@ ifndef(`distro_debian',`
+@@ -91,19 +134,34 @@ ifndef(`distro_debian',`
 /var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
 /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@ -29262,7 +29263,7 @@ index 8274418..53f66a4 100644
 /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -111,7 +168,18 @@ ifndef(`distro_debian',`
+@@ -111,7 +169,18 @@ ifndef(`distro_debian',`
 /var/run/slim.*			gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -31042,7 +31043,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..436b1e0 100644
+index 8b40377..fe6657c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32099,7 +32100,7 @@ index 8b40377..436b1e0 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1128,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -32118,6 +32119,11 @@ index 8b40377..436b1e0 100644
 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xserver_t, xserver_log_t, file)
 +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
+
+manage_dirs_pattern(xserver_t, xdm_home_t, xdm_home_t)
+manage_files_pattern(xserver_t, xdm_home_t, xdm_home_t)
+manage_lnk_files_pattern(xserver_t, xdm_home_t, xdm_home_t)
+gnome_data_filetrans(xserver_t, xdm_home_t, dir, "xorg")
 
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
@ -32136,7 +32142,7 @@ index 8b40377..436b1e0 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1179,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -32168,7 +32174,7 @@ index 8b40377..436b1e0 100644
 
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1212,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
 
@ -32183,7 +32189,7 @@ index 8b40377..436b1e0 100644
 mls_xwin_read_to_clearance(xserver_t)
 
 selinux_validate_context(xserver_t)
-@@ -718,20 +1228,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1233,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
 
@ -32207,7 +32213,7 @@ index 8b40377..436b1e0 100644
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1252,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
 
@ -32216,7 +32222,7 @@ index 8b40377..436b1e0 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1291,54 @@ optional_policy(`
+@@ -785,17 +1296,54 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32273,7 +32279,7 @@ index 8b40377..436b1e0 100644
 ')
 
 optional_policy(`
-@@ -803,6 +1346,10 @@ optional_policy(`
+@@ -803,6 +1351,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -32284,7 +32290,7 @@ index 8b40377..436b1e0 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1370,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -32309,7 +32315,7 @@ index 8b40377..436b1e0 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1388,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1393,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -32344,7 +32350,7 @@ index 8b40377..436b1e0 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1458,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -32353,7 +32359,7 @@ index 8b40377..436b1e0 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1512,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -32385,7 +32391,7 @@ index 8b40377..436b1e0 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1558,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -49519,7 +49519,7 @@ index b1ac8b5..24782b3 100644
 +	')
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..6e2a403 100644
+index d15eb5b..7f3c31d 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@ -49561,6 +49561,14 @@ index d15eb5b..6e2a403 100644
 
 logging_send_syslog_msg(modemmanager_t)
 
+@@ -56,3 +63,7 @@ optional_policy(`
+ 	udev_read_db(modemmanager_t)
+ 	udev_manage_pid_files(modemmanager_t)
+ ')
+
+optional_policy(`
+	systemd_dbus_chat_logind(modemmanager_t)
+')
 diff --git a/mojomojo.fc b/mojomojo.fc
 index 7b827ca..5ee8a0f 100644
 --- a/mojomojo.fc
@ -107581,7 +107589,7 @@ index 61c2e07..3b86095 100644
 +	')
 ')
 diff --git a/tor.te b/tor.te
-index 5ceacde..40e9303 100644
+index 5ceacde..9353adb 100644
 --- a/tor.te
 +++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
@ -107608,7 +107616,16 @@ index 5ceacde..40e9303 100644
 ########################################
 #
 # Local policy
-@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -48,6 +58,8 @@ allow tor_t tor_etc_t:dir list_dir_perms;
+ allow tor_t tor_etc_t:file read_file_perms;
+ allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
+ 
+dontaudit tor_t self:capability { net_admin };
+
+ manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+ manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+ manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
 corenet_udp_sendrecv_generic_node(tor_t)
 corenet_tcp_bind_generic_node(tor_t)
 corenet_udp_bind_generic_node(tor_t)
@ -107616,7 +107633,7 @@ index 5ceacde..40e9303 100644
 corenet_sendrecv_dns_server_packets(tor_t)
 corenet_udp_bind_dns_port(tor_t)
 corenet_udp_sendrecv_dns_port(tor_t)
-@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -85,6 +96,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
 corenet_sendrecv_tor_server_packets(tor_t)
 corenet_tcp_bind_tor_port(tor_t)
 corenet_tcp_sendrecv_tor_port(tor_t)
@ -107624,7 +107641,7 @@ index 5ceacde..40e9303 100644
 
 corenet_sendrecv_all_client_packets(tor_t)
 corenet_tcp_connect_all_ports(tor_t)
-@@ -98,19 +108,22 @@ dev_read_urand(tor_t)
+@@ -98,19 +110,22 @@ dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
 
 files_read_etc_runtime_files(tor_t)
@ -116833,7 +116850,7 @@ index 0928c5d..d270a72 100644
 
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 diff --git a/xguest.te b/xguest.te
-index a64aad3..fe078eb 100644
+index a64aad3..d923154 100644
 --- a/xguest.te
 +++ b/xguest.te
@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
@ -116902,7 +116919,7 @@ index a64aad3..fe078eb 100644
 		storage_raw_read_removable_device(xguest_t)
 		storage_raw_write_removable_device(xguest_t)
 	',`
-@@ -54,9 +55,22 @@ ifndef(`enable_mls',`
+@@ -54,9 +55,25 @@ ifndef(`enable_mls',`
 ')
 
 optional_policy(`
@ -116913,6 +116930,9 @@ index a64aad3..fe078eb 100644
 +kernel_dontaudit_request_load_module(xguest_t)
 +kernel_read_software_raid_state(xguest_t)
 +
+#GDM runs the X server as the unprivileged user.
+dev_rw_input_dev(xguest_t)
+
 +tunable_policy(`selinuxuser_execstack',`
 +	allow xguest_t self:process execstack;
 +')
@ -116926,7 +116946,7 @@ index a64aad3..fe078eb 100644
 		files_dontaudit_getattr_boot_dirs(xguest_t)
 		files_search_mnt(xguest_t)
 
-@@ -65,10 +79,9 @@ optional_policy(`
+@@ -65,10 +82,9 @@ optional_policy(`
 		fs_manage_noxattr_fs_dirs(xguest_t)
 		fs_getattr_noxattr_fs(xguest_t)
 		fs_read_noxattr_fs_symlinks(xguest_t)
@ -116938,7 +116958,7 @@ index a64aad3..fe078eb 100644
 	')
 ')
 
-@@ -84,12 +97,25 @@ optional_policy(`
+@@ -84,12 +100,25 @@ optional_policy(`
 	')
 ')
 
@ -116950,23 +116970,23 @@ index a64aad3..fe078eb 100644
 +
 +optional_policy(`
 +	colord_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	gnomeclock_dontaudit_dbus_chat(xguest_t)
 +	chrome_role(xguest_r, xguest_t)
 +')
 +
 +optional_policy(`
 +    thumb_role(xguest_r, xguest_t)
- ')
- 
- optional_policy(`
-	gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
 +	dbus_dontaudit_chat_system_bus(xguest_t)
 ')
 
 optional_policy(`
-@@ -97,75 +123,78 @@ optional_policy(`
+@@ -97,75 +126,78 @@ optional_policy(`
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 182%{?dist}
+Release: 183%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -653,6 +653,12 @@ exit 0
 %endif

 %changelog
+* Mon Apr 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-183
+- Allow modemmanager to talk to logind
+- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
+- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
+- Xorg now writes content in users homedir.
+
 * Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
 - rename several contrib modules according to their filenames
 - Add interface gnome_filetrans_cert_home_content()